Working in the healthcare industry can be extremely rewarding. Pursuing a business in this industry allows you to provide employees with job stability, great pay, benefits, and opportunities for personal and professional growth. Most importantly, working in the healthcare industry is your platform to help sick people and eventually improve the quality of their lives.
On the other side of the coin, staying compliant is challenging. Since you’re dealing with patients’ most sensitive and personal medical files, confidentiality is vital in the industry. In fact, anyone who is working in the healthcare industry is expected to adhere to the Health Insurance Portability and Accountability Act—otherwise known as HIPAA.
What Is HIPAA Compliance?
As mentioned above, individuals working in the healthcare industry regularly deal with sensitive information from and about their patients. Acquiring this information is essential to properly diagnose and treat them, but this should only ever be shared between the healthcare professionals attending to the patient’s case. This is where HIPAA comes in.
Simply defined, the Health Insurance Portability and Accountability Act (HIPAA) is the standard that covers entities, and business associates are expected to follow this when it comes to protecting patient health information (or PHI). Organizations operating in the healthcare industry should have the required network, equipment, and security measures to ensure that they comply with the rules set out in HIPAA.
Anyone providing payment, operations, and treatment in the healthcare setting, along with associates who have access to patient information, should meet the HIPAA compliance. Related business associates and other contractors should also follow HIPAA regulations.
Who Needs To Be HIPAA Compliant?
Under the HIPAA regulations, the following organizations should be HIPAA compliant:
- Covered entities: As defined by the HIPAA regulation, covered entities are organizations that collect, create, and transmit ePHI or electronic patient health information. Healthcare organizations that fall into this category are healthcare clearinghouses, healthcare insurance providers, and healthcare providers.
- Business associates: Under the HIPAA regulation, business associates are organizations that encounter and use ePHI or PHI over the course of work and have been contracted to perform on behalf of a covered entity. With the number of service providers that might handle and process ePHI and PHI, business associates cover many organizations, namely, practice management firms, billing companies, IT providers, shredding companies, email hosting services, accountants, attorneys, and many others.
Covered entities and/or business associates are expected to know and follow a set of HIPAA rules to maintain the safety and security of ePHI and PHI.
The rules under HIPAA are:
- HIPAA Privacy Rule: The HIPAA Privacy Rule only applies to covered entities, not business associates. The HIPAA privacy rule outlines standards for patients’ rights to access PHI, and healthcare practitioners’ rights to grant access or deny access to PHI. This rule also covers the use and release of forms and notices.
- HIPAA Security Rule: The HIPAA Security Rule is a national standard that aims to secure the maintenance, handling, and transmission of ePHI. Unlike the HIPAA Privacy Rule, the HIPAA Security Rule applies to both the covered entities and business associates. The two parties are expected to know and follow the HIPAA Security Rule as they regularly share information about patients.Under the HIPAA Security Rule, covered entities and business associates should implement the technical, physical, and administrative safeguards to ensure the integrity and safety of ePHI. Any policies applied as compliance to the HIPAA Security Rule should be documented under the organization’s HIPAA policies and procedures. Staff working for these organizations should also be trained once a year with documentation.
- HIPAA Breach Notification Rule: The HIPAA Breach Notification Rule outlines the standards that covered entities and business associates have to follow when there is a data breach containing or involving ePHI and PHI. Organizations are expected to report any breach to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) (or HHS OCR), but the procedure to follow varies depending on the kind of breach committed.
- HIPAA Omnibus Rule: For HIPAA to apply to business associates, the HIPAA Omnibus Rule was created. This is an addendum to the HIPAA regulation that mandates all business associates to be HIPAA compliant, as well.The HIPAA Omnibus Rule states that business associates should also follow Business Associates Agreements or BAAs. This agreement involves the use of contracts between a covered entity and a business associate, or between two or more business associates, before any ePHI or PHI is shared or transferred.
Why Is There a Need for HIPAA Compliance?
The Health Insurance Portability and Accountability Act was signed into law on August 21, 1996, to fulfill two goals: to safeguard patients’ health information and improve the efficiency of healthcare workers in delivering patient care.
The advent of technology has improved the daily operations of the healthcare industry. Through computerized operations, such as computerized physician order entry systems and electronic health records, it’s easier for healthcare practitioners to gather and store information without the need to keep piles of paperwork.
However, it is also because of technology that patients’ information is at risk. Hackers have become more skilled and have been using newer tools to steal patient information and conduct fraudulent activities. HIPAA compliance is set in place to prevent such situations from happening.
Moreover, HIPAA compliance was also created to help healthcare practitioners make the most out of technological advancements relevant to their fields. The Security Rule, one facet of HIPAA compliance, is set to allow covered entities to implement procedures and policies using technology that are suited to the needs of their patients and the structure of the organization.
The Security Rule under HIPAA outlines the requirements to uphold the confidentiality of electronic patient health information. These rules have been set in place to prevent the sharing and use of electronic patient data without the approval of the patient and their attending physician.
By complying with HIPAA regulations, healthcare organizations, along with their healthcare practitioners, are able to:
- Ensure the availability, access, and security of patient health information to build and maintain trust between patients and practitioners.
- Adhere to the HIPAA and HITECH (The Health Information Technology for Economic and Clinical Health) Act that encourages healthcare practitioners to adopt and utilize electronic health records and improve security protections for their organization’s and patient’s healthcare data for easy access, audit, data transmission, device security, and integrity controls.
- Maintain optimal control and visibility of sensitive data acquired and used by the healthcare organization.
What Are the Requirements for HIPAA Compliance?
Under HIPAA compliance, healthcare organizations and practitioners are required to implement the best data protection solutions to ensure that patient data in all forms, such as documents, emails, and scans, are secured. These solutions also allow healthcare practitioners to share data in the most secure way possible to provide the best patient care.
Patients put their full trust and confidence in these healthcare organizations, and it’s the duty of these organizations and their practitioners to uphold that trust and take care of any patient information.
For covered entities and business associates to comply with the HIPAA regulation, they should adhere to the following technical requirements:
- Network encryption: This is a mandatory requirement among all healthcare organizations. Any electronic patient health information (ePHI) should meet the NIST cryptographic standards whenever data is transmitted within an external network.
- Control access: Healthcare practitioners who will acquire and access patient health information are assigned with centrally-controlled unique usernames and PIN codes. Procedures and policies should also be set to determine when and how healthcare practitioners should disclose or release electronic patient health information during emergencies.
- Authenticate ePHI: Any health information gathered from the patients must be authenticated to protect it from unauthorized access and changes, accidental destruction, and corruption.
- Encrypt devices: Devices used to store and access the system should be able to encrypt a large volume of data. This is especially important for healthcare organizations that are reliant on laptop devices and mobile phones.
- Control activity audits: To determine how many times ePHI is accessed and how it’s manipulated, detailed logging is a must. This will also create accountability for health practitioners who access the system.
- Enable automatic logoff: Anyone who has access to the systems should be automatically logged off after a minute of inactivity. This will lessen the susceptibility of data being stolen when devices are left idle.
Aside from the technical requirements, covered entities and business associates should also adhere to some physical requirements to become HIPAA compliant. Some of these physical requirements are:
- Control facility access: You should carefully track individuals who have physical access to data storage. Along with healthcare practitioners, you should record repairmen and even custodians who get near the organization’s data storage. Policies on authorized entries should be made and communicated to everyone in the organization, as well.
- Manage organizations: A policy that outlines which specific workstations can access ePHI and how digital screens should be guarded against onlookers even at a distance should be set in place. This should include rules on how workstations should be properly used.
- Protect mobile: There should be a mobile device policy that requires healthcare practitioners to remove data after use to prevent it from being leaked or shared without the approval of the patient or the organization.
- Track servers: As part of a precautionary measure, any infrastructure used in the organization should have an inventory and information on where it’s located. When moving servers, this data should be completely copied first.
The tools and equipment that covered entities and business associates invest in can increase the security of ePHI. However, these aren’t enough to ensure that ePHI is stored safely and that only the attending physicians of the patients have access to it.
For covered entities and business associates to comply with HIPAA regulations, they should also adhere to the following administrative requirements:
- Risk assessment: Risk assessment should be done regularly with the key personnel of the healthcare organization to properly and carefully identify, analyze, and address risks that might compromise the security of all health data.
- Training staff: Everyone working in the healthcare organization should be trained on how to properly store ePHI and when this should be shared with the right people. Every staff member should also learn how to recognize cybersecurity threats, namely deception, hacking, and phishing, and how to address the problem.
- Build contingencies: The trends in the healthcare industry can be unpredictable, which is why organizations should achieve on-going business continuity. Preparation processes as a response to disasters, for example, the data will stay safe and ensure that it’s not leaked.
- Test contingencies: Any contingencies set in place to protect data during emergencies should be checked regularly. Restoration policies and backup systems should also be part of your contingency plan.
- Log all security incidents: Regardless of if the attempt was successful or not, any security incidents should be documented. This will help the organization improve its security protocols and prevent security breaches in the future.
What Is a HIPAA Violation?
In simple terms, a HIPAA violation is any breach in the healthcare organization’s compliance programs that compromises the safety and integrity of the ePHI and PHI. However, not all data breaches are considered a HIPAA violation. A data breach is only considered as a HIPAA violation when it’s a result of outdated, incomplete, or ineffective HIPAA compliance programs.
For example, it’s considered a data breach when a healthcare practitioner’s unencrypted company laptop that has access to medical records has been stolen. This example will only become a HIPAA violation when the healthcare organization doesn’t have a policy requiring devices to be encrypted or being taken off-site.
Other causes of HIPAA violations and fines are:
- Business associate breaches
- Discussing PHI outside of the office
- Malware incidents
- Office break-ins
- Ransomware attacks
- Sending ePHI or PHI to the wrong contact or patient
- Stolen laptops, USB devices, or phones
What Is the HIPAA Breach Notification Rule?
When breaches are committed either by the covered entity or business associate, it’s vital that they know who to notify. The sooner the person acts, the lesser damage the breach can cause.
Here’s an outline of how the HIPAA Breach Notification Rule works:
- Educate yourself on the notification process: When a breach involving ePHI happens, you need to inform your patients and the HHS Department. If the breach involves less than 500 patient records, you need to submit a small-scale hack form available on the OCR website. The submission of this form should be made once the initial investigation on the breach has been conducted.
On the other hand, if the breach involved more than 500 patient records, you must also notify the media about the situation. This will prevent the general public from continuing using the system that caused or triggered the breach.
- Pay attention to your breach notification message: Because breaches in HIPAA compliance are a serious matter, you can’t simply send any message to the HHS OCR to let them know about the breach. Under the HIPAA Breach Notification Rule, the breach notification you send to the authorities should contain the following elements:
- A detailed description of the ePHI that was breached and personal identifiers involved in the situation;
- Names and positions of individuals who gained unauthorized access to PHI, ePHI, or any relevant information;
- Information on whether the details stated in the message were simply taken or seen; and
- The degree to which risk mitigation strategies were applied and if these succeeded.
What Happens When HIPAA Regulations Are Violated?
Under the Breach Notification Rule, covered entities and business associates have to follow protocols the moment they discover that protected health information has been exposed, compromised, lost, or stolen.
However, there are instances when covered entities and business associates fail to comply with the Breach Notification Rule of HIPAA, and violations are only discovered during random audits, breach notifications, and reports from the media and governmental agencies.
As described in the HIPAA Enforcement Rule, there are four levels of violations and HIPAA violation penalties:
- The covered entity or business associate was unaware and would have remained unaware of the breach based on reasonable measures. The person involved in this situation can be fined $100 up to $50,000.
- “Reasonable cause” happens when the violation was caused by an element that would prompt action from an ordinary person. In this situation, a person can be fined from $1,000 to $50,000.
- “Wilful neglect” is when the violation was caused by intentional avoidance but is rectified within 30 days. The minimum fine for this incident is $10,000 but can increase up to $50,000.
- Wilful neglect when not mitigated within 30 days can result in $50,000 in fines.
When an employee breaks any of the HIPAA regulations, the violation could be dealt with internally, terminated from work, face sanctions from professional boards, or face criminal charges that include imprisonment and fines.
What happens next after your organization or employee breaks any of the HIPAA regulations will depend on the severity and frequency of the violation. However, the decisions of your organization’s stakeholders, the professional boards, and federal regulators will depend on the nature of the violation, your knowledge on whether the HIPAA regulations were violated, the harm caused by the violations, and the number of people affected by the violation.
Work With Attorneys
Being compliant with HIPAA is vital for anyone working in the healthcare industry, which is why you should make sure that you adhere to the rules set under this guideline. Wilfully violating any of the HIPAA rules will require you to pay a hefty amount of money, and you may even be sent to jail.
If you want to avoid this, be sure to work with the right attorney. An experienced HIPAA violation attorney can help organizations determine and implement the appropriate identity protection services to ensure that covered entities, business associates, and patients securely share and store information.